On Mon, 2013-07-22 at 09:23 -0700, Stephen Ingram wrote:
> On Mon, Jul 22, 2013 at 12:18 AM, Martin Kosek <mko...@redhat.com>
> wrote:
>         On 07/20/2013 02:51 AM, Stephen Ingram wrote:
>         > Is there a way to disable the forms-based login to the WebUI
>         and require a
>         > Kerberos ticket?
>         >
>         > Steve
>         Hello,
>         No, this is currently not possible. Stephen, can you please
>         describe your use
>         case why you want it to be off? This would allow us to
>         consider this as an
>         enhancement for future.
> I certainly understand why the feature was added as many devices do
> not have the capability of acquiring a Kerberos ticket. If we want to
> restrict access to devices that *can* acquire a ticket, this would
> prevent credentials from being sent over the wire (even if over a
> secure link), and, thus, provide for increased security. If I'm
> correct about how this form works, it only requires credentials to be
> sent once and then it requests a ticket on the user's behalf. While
> this is better than sending them with each request, it still presents
> an opportunity where credentials can be intercepted, no?

Your's is a valid concern.
Please open a RFE ticket to make the form-based login page/mechanism


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to